Software security firm Symantec has identified a group called Strider that’s aiming spying-related malware at individuals and organizations in Belgium, China, Russia and Sweden. Apparently active since at least late 2011, Strider has kept a low profile and could be a nation-state attacker, Symantec said.
Strider uses “stealthy,” hard-to-detect malware called Remsec that provides backdoor access to infected computers for stealing data, logging keystrokes and other actions, according to Symantec. The group appears to be highly selective: Symantec has found only 36 infected computers across seven organizations since October 2011.
In a separate report released today, the cybersecurity company Kaspersky Lab identified the spying group as “ProjectSauron.” The name stems from a string in the malware’s keylogger module that includes the word “Sauron,” the main villain in J.R.R. Tolkien’s “The Lord of the Rings.”
Malware Resides ‘Only in Memory’
“Strider is capable of creating custom malware tools and has operated below the radar for at least five years,” Symantec’s Security Response team wrote yesterday in a blog post. “Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation-state level attacker.”
The security team said it first detected Strider’s malware through its behavioral engine that uses machine learning to look for anomalous computer processes. The researchers then analyzed a sample of the Remsec malware they obtained from a customer.
Remsec uses a variety of modules that together work as “a framework that provides the attackers with complete control over an infected computer,” the Symantec team noted. The malware is difficult to detect in part because many of its features are “deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk.”
Aimed at Government, Military Targets
In a report released today, Kaspersky Lab described the same malware as “ProjectSauron,” which it first detected in September 2015.
“The suspicious module was an executable library, loaded in the memory of a Windows domain controller (DC),” Kaspersky’s Global Research and Analysis Team wrote today in a security note. “The library was registered as a Windows password filter and had access to sensitive data in cleartext. Additional research revealed signs of massive activity from a new threat actor that we codenamed ‘ProjectSauron,’ responsible for large-scale attacks against key governmental entities in several countries.”
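Password filters are loaded into LSASS from the LSA “Notification Packages” registry value, which is why a malicious one sees every password change in cleartext. The script below is an added example written for this article, not code from Kaspersky or Symantec: it audits that value on a host, resolves each entry to its DLL in System32 and flags anything outside a baseline or not validly signed by Microsoft. The baseline list (`scecli`, `rassfm`) is an assumption for the example and should be replaced with what your own gold image registers.

```powershell
# Added example (not from the Symantec or Kaspersky reports): audit the LSA
# "Notification Packages" list, which is how a password filter DLL gets loaded
# into LSASS and sees plaintext passwords on every change.
# Run in an elevated PowerShell session on the domain controller to check.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Baseline of package names Windows itself registers. This is an assumption
# for the example: confirm it against a known-good build of your own DCs
# before treating any entry as benign.
$knownGood = @('scecli', 'rassfm')

# REG_MULTI_SZ comes back as a string array, one DLL base name per entry.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

foreach ($name in $packages) {
    if ([string]::IsNullOrWhiteSpace($name)) { continue }

    # Entries are DLL names without extension; LSASS loads them from System32.
    $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"
    $exists  = Test-Path -LiteralPath $dllPath

    $status = 'missing'
    $signer = 'n/a'
    if ($exists) {
        # Authenticode check: a filter that is unsigned, or signed by anyone
        # other than Microsoft, does not belong on a domain controller.
        $sig    = Get-AuthenticodeSignature -FilePath $dllPath
        $status = [string]$sig.Status
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    }

    $inBaseline = $knownGood -contains $name.ToLower()
    $suspicious = (-not $inBaseline) -or ($status -ne 'Valid') -or ($signer -notmatch 'Microsoft')

    [pscustomobject]@{
        Package    = $name
        Path       = $dllPath
        Exists     = $exists
        Baseline   = $inBaseline
        Signature  = $status
        Signer     = $signer
        Suspicious = $suspicious
    }
}
```

Pipe the output through `Where-Object Suspicious` to see only the entries worth investigating. A clean list here does not prove the host is clean: the DC should also be checked for unexpected modules already loaded into `lsass.exe`, since the registry value only controls what is loaded at the next boot.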
The Kaspersky team said the malware has targeted more than 30 victim organizations in Russia, Iran and Rwanda, as well as some in Italian-speaking countries. They added that many other targets in other regions are likely also affected.
The key targets appear to be government and military organizations, scientific research centers, telecom operators and financial organizations, according to Kaspersky.
Orla Cox, Symantec’s director of security response, told Reuters that cybersecurity firms don’t often discover new types of malware like Remsec.
“Strider’s attacks have tentative links with a previously uncovered group, Flamer,” according to Symantec. Remsec’s use of modules written in the programming language Lua “is a technique that has previously been used by Flamer,” Symantec noted. “One of Strider’s targets had also previously been infected by Regin.”